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Sophos Group 

Company Facts 



Utimaco Safeware AG 



■ Headquarters in Oberursel and Aachen, Germany 

■ 163 employees 

■ € 37.7 million revenues (fiscal year 10/11) 
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Sophos PLC 



■ Headquarters in Oxford, UK and 
Burlington, MA, USA 

■ 1 ,800 employees 

■ $ 340 million revenues (fiscal year 10/11) 




Sophos is a world leader 
in IT security and control 
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Utimaco LIMS 

Competence in Lawful Interception 



♦ 

♦ 

♦ 

♦ 

♦ 

♦ 

♦ 



Utimaco has been providing LI solutions since 1994 
Market leader in Germany 

Worldwide operations: more than 180 installations in 60 countries 

Lawful Interception and Data Retention Systems 
for 10 thousands to millions of subscribers 

Strong partnerships with leading telecom infrastructure vendors 

Compliant to international LI standards of ETSI, 3GPP, ANSI/ATIS, 
CableLabs and active member of ETSI TC LI 

Conform to numerous national telecommunication laws 



© Utimaco Safeware AG 



5 



utimaco* 

a memtier of the Sophos Group 




Cloud Computing 

Definitions 

♦ Wikipedia: 

► the provision of computational resources on 
demand via a computer network.” 

♦ NIST: 

► “Cloud computing is a model for enabling convenient, 
on-demand network access to a shared pool of 
configurable computing resources (e.g., networks, 
servers, storage, applications, and services) that can 
be rapidly provisioned and released with minimal 
management effort or service provider interaction.” 

♦ Sun Microsystems 

► „the network is the computer" (late 1 980s) 
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Cloud Computing 

Types 

♦ Public Clouds 

► Exclusive Cloud 

■ Partners with established relationships only 

► Open Cloud 

■ For all possible customers 

♦ Private Clouds 

► Internal company/department use only 

♦ Hybrid Clouds 

► Mixture of public & private clouds depending 
on service 
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Cloud Computing 

Characteristics 

♦ Services are offered transparently to users 

♦ Comparable to other services iike power, gas, water 

♦ Abstract from iT-infrastructure 

♦ IT-infrastructure is task of cioud provider 

♦ Subscribers can use services as needed without having to instaii a 
(oniy partiaiiy used) infrastructure 

♦ (Distributed) datacenters 

♦ Up-date infrastructure 

♦ High-avaiiabiiity & disaster revocery 

♦ Security stili discussed 
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Cloud Computing 

Service Levels 



♦ laaS 

► Infrastructure-only cloud 

► Middleware & applications from software/service provider 

♦ PaaS 

► Platform cloud 

► Only application from software/service customer 

♦ SaaS 

► Software 

► Complete offering to end-user 
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Cloud Computing 

Some Providers of Cloud-based Services 
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Cloud Computing 

Pros & Cons 

o 

♦ Significant cost savings possible 

♦ Pay for need only, not for 
infrastructure 

♦ Possibly better reliabilty 

♦ Possibly better security 

♦ Location independent 

♦ Device independent 

♦ Up-to-date services (e.g. patching 
done by provider) 

♦ Scales very well 

♦ Easier maintenance 
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e 

♦ Customer looses control over data 

♦ Network connections critical 

(is this really a risk nowadays???) 

♦ Security 

♦ Legal 

♦ SLAs, QoS (complex contracts) 

♦ Compliance often unclear 
(laws not made for clouds) 

♦ Provider lock-in 

♦ APIs typically not standardized (yet) 

♦ What happens if cloud service is 
terminated? 
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Cloud Computing 

Legal Issues 

♦ Location of storage, servers etc. might not be known 

► Might even not be known by the service provider himself 

► Location might change during usage 

♦ But: Many large service providers have regional/local datacenters serving 
customers in this region 

♦ Which laws do apply? 

► The country where the customer is located? 

► The country of the service provider? 

► The country where the infrastructure is located? 

► One of the above depending on situation? 

► Situation might change even during one session 

► Compliance requirements (e.g. auditing, reporting) 

► Laws might even contradict each other 
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Cloud Computing 

Regional Distribution 
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Cloud Computing 

Legal Issues - Theoretical example 

♦ Service provider located in US 

► For the service provider, US-laws apply 

♦ Customer located in EU (Germany) 

► For the customer relation, German laws apply (probably) 

♦ Data Centers located in Ireland, Norway and Switzerland 

► For DC in Ireland EU-laws apply, but not for DCs Norway and Switzerland 

► Data is possibly stored in all DCs above and/or moved automatically 
between them 
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Cloud Computing 

Security Challenges 

♦ System complexity 

♦ (Shared) Multi-Tenant environment 

♦ Internet-facing services (remote administration mandatory) 

♦ Data protection 

► Data must be segregated for each customer 

► Logs/auditing/monitoring must include 
even privileged users 

► Encryption of stored data preferrable 

► Data Leakage Prevention? 

► Authentication/Identity Management 

► Physical security of datacenters 

► Availability/Reliability/Business Continuity/Disaster Recovery 

► Application security (incl. application-level firewall) 
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Cloud Computing 

Security Advantages 

♦ Staff specialization at cloud provider 

♦ Platform strenght 

► more homogenous environment 

► easier to secure, patch & audit 

► mostly an advantage, but might be endangered by one specific threat 

♦ Resource availability due to scalability 

♦ Backup & Recovery 

► Especially if data is stored in diverse locations 

♦ Mobile endpoints 

► No/minimal need to store sensitive data on mobile devices 
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Cloud Computing 

Lawful Interception - LEAs Interest 

♦ Bad guys use cloud services, too 

♦ Communication 

► e.g. Google mail 

♦ Stored data 

► e.g. Dropbox 

♦ Service usage 

► e.g. Google Maps 

♦ Publications 

► e.g. Facebook 

► Anders Breivik 

More and more information is handled by the cloud 

- one reason is exploding mobile access (iPhone, Android) 
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Cloud Computing 

Lawful Interception - Fundamental Aspects 

♦ In „classic“ LI, telecommunication services are intercepted (data in 
motion) 

► Which cloud computing services are telecommunications? 

■ Google Mail: yes 

■ Dropbox: ? 

♦ Data stored in the cloud (data at rest) 

► Which laws allow LEAs to access the data in the cloud? 

► Which data of which subscribers are covered by these laws? 

► Access to stored data typically not in real-time 

► How to access the data? 
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Cloud Computing 

Lawful Interception in Clouds - Challenges 1/2 

♦ Targets might use cloud services via access paths not intercepted 

♦ End-to-end encrypted cloud services 

► IRI might be obtainable 

► CC only interceptable on the end-points (CPE or cloud provider) 

► End-to-end encryption increasingly offered by cloud providers 

► Security enhancements (e.g. two-factor authentication by Facebook) 

♦ Legal situation often very unclear 

► Easy for US-based LEAs 

► Difficult for non-US-based LEAs 

► Cloud providers often face contradicting laws 
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Cloud Computing 

Lawful Interception in Clouds - Challenges 2/2 

♦ Infrastructure of many clouds is technically quite autonomous 

► Virtualized servers 

■ actual computing instance might change on the fly 

► Redundant storage 

■ data typically stored in different locations, locations might change 
on the fly 

♦ Dynamics above are a fundamental aspect of clouds 

► At the same time, basics for some of the cloud advantages 

♦ Conflicts between these technical aspects and legal framework 
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Cloud Computing 

Lawful Interception - Recent Developments 

♦ LEAs can mostly access the data stored in clouds 

► But legal framework often unclear 

► Different/contradicting laws in different countries 

► No standardized access (yet) 

► Requests in US and Europe for easier access of LEAs to data 

♦ Extensive privacy discussions in Europe 

► Google Streetview 

► Interception of WiFi traffic by Google Streetview cars 

► Facebook handling of user data 

♦ Work item for a Technical Report for LI in Clouds in ETSI TC LI 




© Utimaco Safeware AG 



21 



utimaco'^ 

a memtier of the Sophos Group 



Cloud Computing 

A Final Word 

“The only problem with the cloud Is 
that at some point It will rain.” 

Reinhard Posch, CIO for the Austrian Federal Government at EIC 
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Business Development LIMS 
Phone: +49 241 1696-248 
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http://lims.utimaco.com 
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